apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: cert-manager-webhook
  {{- include "helm_lib_module_labels" (list . (dict "app" "webhook")) | nindent 2 }}
webhooks:
  - name: validate.webhook.cert-manager.io
    namespaceSelector:
      matchExpressions:
        - key: "cert-manager.io/disable-validation"
          operator: "NotIn"
          values:
            - "true"
        - key: "name"
          operator: "NotIn"
          values:
            - d8-cert-manager
    rules:
      - apiGroups:
          - "cert-manager.io"
          - "acme.cert-manager.io"
        apiVersions:
          - "v1"
        operations:
          - CREATE
          - UPDATE
        resources:
          - "*/*"
    admissionReviewVersions:
    - v1
    # This webhook only accepts v1 cert-manager resources.
    # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
    # this webhook (after the resources have been converted to v1).
    matchPolicy: Equivalent
    failurePolicy: Fail
    sideEffects: None
    clientConfig:
      caBundle: {{ .Values.certManager.internal.webhookCert.ca | b64enc }}
      service:
        name: cert-manager-webhook
        namespace: d8-cert-manager
        path: /validate
